[57] ABSTRACT

A seed random sequence is extended in successive 
nodes of a tree structure of a random sequence genera- 
tor. At each node, an input sequence is expanded to an 
output sequence substantially greater than the length of 
the input sequence. Plural processors operate in parallel 
in generating the final output sequence, and subse- 
quences may be directly accessed as a starting location 
of the output sequence. The random sequence generator 
is accessed by an index in an encryption system. In a 
sequential generator, less than all of the bits from the 
generator unit are reapplied to the generator unit in an 
iterative process. 

60 Claims, 3 Drawing Sheets 
PSEUDO-RANDOM SEQUENCE GENERATOR

BACKGROUND OF THE INVENTION 

A random number generator (RNG) is an efficient device that transforms short random seeds into long pseudo-random strings. A classical RNG is the linear congruential generator (LCG) that is based on the recursion

x_{i+1} = a x_i + b (mod N).

It is well known that the LCG passes certain statistical tests, e.g., for a clever choice of the parameters a, b, N it generates well mixed numbers (see Knuth 1980). There are more elaborate statistical tests which the LCG fails. Stern (1987) shows that the sequence generated by the LCG can be inferred even if the parameters a, b, N and the seed x_0 are all unknown.

The concept of a perfect random number generator 
(PRNG) has been introduced by Blum, Micali (1982) 
and Yao (1982). An RNG is perfect if it passes all polynomial time statistical tests, i.e., the distribution of output sequences cannot be distinguished from the uniform distribution of sequences of the same length. So far, the proofs of perfectness for the known PRNG's are all based on unproven complexity assumptions. This is because no superpolynomial complexity lower bounds have been proven.

Perfect random number generators have been established, for example, based on the discrete logarithm by Blum, Micali (1982), based on quadratic residuosity by Blum, Blum, Shub (1982), based on one way functions by Yao (1982), and based on Rivest/Shamir/Adleman (RSA) encryption and factoring by Alexi, Chor, Goldreich and Schnorr (1984). All these PRNG's are less efficient than the LCG. The RSA/Rabin generators are the most efficient of these generators. They successively generate about log n pseudo-random bits by one modular multiplication with a modulus N that is n bits long.

Disclosure of the Invention 

In accordance with the present invention, a random 
sequence generator generates a random sequence from a 
seed random sequence which is of substantially shorter 
length. Most likely, the seed would be truly random and 
the generated sequence would be pseudo-random, but 
the term "random" is used to include both random and 
pseudo-random sequences. The generator performs a 
tree operation by extending, at each node of a tree struc- 
ture, a node input random sequence. A plurality of node 
output sequences of the tree structure together com- 
prise a final random output sequence. The final random 
output sequence is preferably generated as successive 
leaves of the tree structure. The tree structure allows 
for direct access to any leaf as a starting leaf of a se- 
quence. The parallel structure of the tree allows for 
generation of the sequence with parallel processors 
which, but for initial seeds, may operate independently 
of each other. 

In a preferred embodiment, each node input sequence is extended by the RSA operation

y = a_e x^e + a_{e-1} x^{e-1} + ... + a_1 x + a_0 (mod N)

where e, a_e, a_{e-1}, ..., a_0 and N are integers, the node input sequence represents x and the node output sequence represents y. In a preferred system, the RSA function is reduced by setting all a's equal to zero except one, a_d, which is set equal to one, so that y = x^d (mod N). The greatest common divisor of d and Euler's totient function φ(N) is equal to one. Specifically, N is the product of two large random primes p and q, and d is an integer that is relatively prime to (p-1)(q-1), preferably 3.

In either a sequential or a tree operation, the final sequence is generated in iterative steps. At each step, a new string of bits is obtained by applying a function to significantly less than all of the bits of a previous string. At least part of the bits of a previous string to which the function is not applied are utilized toward the output, either directly or with application of the function in a tree structure.

One application of the random sequence generator is in an encryption system. An encryption unit performs a transform between an encrypted message and a nonencrypted message using the random sequence generated by the random sequence generator. An index may be applied to the generator to indicate the leaf of the tree at which the sequence applied to the encryption unit begins.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic illustration of a random sequence generator having an output sequence y greater in bit length than an input sequence x.

FIG. 2 is an illustration of a random sequence generator having a tree structure in accordance with the present invention, each node comprising a generator as illustrated in FIG. 1.

FIG. 3 illustrates a multiprocessor system for performing the tree structure of FIG. 2.

FIG. 4 illustrates an encryption system utilizing the generator of FIG. 2.

FIG. 5 illustrates a sequential polynomial generator.

FIG. 6 is another illustration of a sequential polynomial generator.

FIG. 7 is another illustration of a parallel polynomial generator.

FIG. 8 is an illustration of yet another parallel polynomial generator.

DESCRIPTION OF PREFERRED EMBODIMENTS

An electronic random number generator, or random sequence generator, takes an input sequence of some number of bits which represents an input x and extends that sequence to a sequence of bits which represents a number y, the number of bits representing y being greater than the number of bits representing x. There are many functions which can easily extend the number m of bits by a factor of about 2. Difficulties in designing random generators exist, however, when substantially longer output sequences are required from a given length seed sequence. At some length, degradation of the output, such that it can no longer be considered random, is encountered.

In accordance with the present invention, a random sequence need only be expanded by a factor of about 2 in the generator 12. With such a short output sequence, the output can be considered near perfectly random. In accordance with the present invention, that near perfectly random output is further extended in successive operations of the same generator 12 in a data processor tree structure illustrated in FIG. 2. The initial input sequence is first expanded by a factor of about 2 in a generator 12A. Portions of the output sequence from generator 12A are applied to respective inputs of generators 12B and 12C. Each of those generators then further expands the random sequence. For example, portions of the output from generator 12B are applied to the inputs of respective generators 12D and 12E.

It will be recognized that the output sequence of the generator need not have exactly twice the number of bits of the input sequence. Some bits from a larger output sequence may be ignored, or there may be overlap in the bits applied to the respective generators if the number of bits in the output y is less than twice the number of bits in the input x. Also, no particular portion of the output sequence need be passed on to each successive generator. Further, although a binary tree is most convenient, tertiary and wider trees may be used. It is recognized that for a short output sequence y_0, y_1, y_2, ..., the binary tree adds unnecessary operations in the overall generation. With a tree of K levels of generators, K operations would be required to generate the bit sequence y_0. However, any sequence y_i of the leaf sequences can be accessed with the same number of operations, and for a very long sequence the tree becomes efficient because each simple generator operation in the tree supports generation of plural sequences y_i provided at the leaves of the tree. Thus to provide a final sequence formed of 2^{K-1} leaves, each of a predetermined bit length, the tree need only perform (2^K - 1) operations through K generator levels. This process can be made very rapid by the use of parallel processors, as illustrated by FIGS. 1 and 3.

FIG. 3 illustrates four random generators G0, G1, G2 and G3 which may operate independently of each other. Each generator receives a sequential node input sequence from a respective random access memory, RAM0, RAM1, RAM2, RAM3, and outputs a longer sequence which is itself stored in the respective RAM for application to the generator at successive nodes of the tree. At the first node of the tree, only generator G0 performs an operation. A portion of its output is retained in RAM0, and a portion is transferred by the CPU to RAM2. In the next level of the tree, generators G0 and G2 perform their respective operations to provide extended node output sequences. A portion of the output from G0 is again stored in RAM0, and another portion is stored in RAM1. Similarly, a portion of the output from generator G2 is stored in RAM2, and a portion is stored in RAM3. Output sequences from the nodes need only be stored until input to both nodes of a lower level. From FIG. 2, it can be seen that, in all levels of the tree below the third, the processors and associated RAMs may operate independently. It can be seen that four processors reduce the processing time for a full length sequence almost to one-fourth the processing time of a single generator. Additional processors will of course further reduce the processing time of a large binary tree.

In some applications, such as in cryptography, it may be desirable to have a very long random sequence available but to be able to select a different starting point within the sequence for each encoding operation. The binary tree structure of FIG. 2 allows any subsequence y_j to be accessed in K operations by simply defining the path through the binary tree to that leaf. Successive leaves may then be generated with relatively few additional operations because of the shared nodes through the tree. In other applications, a more rapid output of the initial subsequences may be desired. In that case, the initial subsequences may be output from nodes other than the leaves at the lower level of FIG. 2.

FIG. 4 illustrates an encryption system utilizing the random sequence generator of FIG. 2. In the system, a message M is encrypted in a sending unit 14, transferred over a publicly accessible communications link 16 as an encrypted message C and decrypted to readable form at a receiving unit 18. Each of the sending and receiving units comprises an encryption unit, the encrypter 20 of the sending unit 14 and the decrypter 22 of the receiving unit. The two units also have identical random sequence generators 24 and 26 which are of the form illustrated in FIG. 2.

Conventional encryption systems utilize a random sequence, which is shared by both the sending and receiving units but is unknown to the public, to first encrypt the message and then decrypt the message. The random sequences must be transferred from one unit to another in a secure fashion for later use. To maintain the security of the system, longer sequences are best used in each encryption, and different sequences are best used in successive encryptions. This ordinarily requires that either a full random sequence be transferred, or only a seed x be transferred and that a random sequence generator be used to extend the seed x. A drawback of conventional random sequence generators is that they are sequential, and thus the sequence must be generated from its beginning up to the desired starting point within the overall sequence. An advantage of the present system is that any subsequence is directly accessible by merely specifying the path to that sequence through the tree, as by an index. Thus, in the system of FIG. 4, an index i is applied to the sequence generator 24 at the sending unit to access a sequence which begins at y_i. That index is also communicated to the receiving unit so that the same sequence beginning at y_i can be generated for decryption. Thus, by securely transferring a short seed x and providing each of the units with an identical sequence generator, any extended portion of the entire sequence y_0, y_1, ... can be accessed by an index i, and the first subsequence of the accessed sequence is obtained in K operations.

A preferred generator for use at each node of the tree of FIG. 2 is a simplified RSA generator in which the input sequence is extended by the modular operation y = a x^d (mod N), where N is the product of two large random primes p and q, and d is an integer that is relatively prime to (p-1)(q-1). Preferably, a equals 1, d = 3, and the bit length of x is short relative to the bit length of N. For example, for an n-bit modulus N the bit length of x may be 2n/d, i.e. two-thirds that of N when d = 3, which is the seed interval [1, N^{2/d}] used in the theoretical discussion below.

The full RSA function, presented by Rivest et al. in U.S. Pat. No. 4,405,829, is as follows:

y = a_e x^e + a_{e-1} x^{e-1} + ... + a_1 x + a_0 (mod N)

where e, a_e, a_{e-1}, ..., a_0 and N are integers. For security, there should be at least one a_i of a_e, a_{e-1}, ..., a_3 which is not equal to zero, and the greatest common divisor of the exponent and Euler's totient function φ(N) is equal to one. One such exponent is 3.

The advantage of the function y = x^3 (mod N) where x is short relative to N is that the output sequence is near twice the length of the input sequence with only two multiplications by x and a division by N to determine the remainder. The same number of operations would be required for d = 4, but the output would not be so perfectly random unless some bits of (information about) y = x^d (mod N) are discarded. Even so, the output would be longer than the input sequence.
In prior uses of the RSA function in random generators, an extended output from a seed is generated by iterative operations of the function while outputting a limited number of bits from each operation. Therefore, with each operation of the RSA function, a number of bits less than the number of input bits would be output in the output sequence. A longer output sequence is obtained only by continued iterations of the RSA operation. Subsequences y_i are not accessible directly, and multiple processors cannot perform independently in parallel to more rapidly generate the sequence. In the present system, the full output of a single RSA operation, or at least a number of bits greater than the number of bits in the input, is applied to the next level of the binary tree. Subsequences are directly accessible, and parallel processing can be used to great advantage.

As noted above, from each operation of the generator G, a number of bits greater than the number of bits in the input to the generator are utilized toward the final output. Because of the security of the particular RSA function utilized in the generator, even sequential generators having this feature may be designed as illustrated in FIG. 5. In this figure, each of the generators G may perform the RSA function y = x^d (mod N). The bit length of each output y of each generator is significantly longer than the bit length of each input. Thus, less than all of the bits output from each generator are applied to the next generator. A significant number of bits, particularly those not applied to the next generator, are available for output.

This sequential generator allows for the very rapid generation of a relatively long sequence. It is much more rapid than the usual generators based on the RSA function because such generators reapply the full output sequence from each generator to the next generator in the iterative process, and only a few bits are output from each step of the process. Because of the high security of the particular RSA function chosen in the present application, fewer bits need be applied to each generator, for more rapid processing at individual generators, and a larger number of bits may be output from each individual generator, for more rapid output of the full random sequence. The sequential generator of FIG. 5 does suffer the disadvantage of the typical RSA generator in that individual subsequences of the output are not directly accessible.

A more theoretical discussion of the function used in 
the generator G and of the parallel tree structure and 
sequential generator follows. 

We extend and accelerate the RSA-generator in various ways. We give evidence for more powerful complexity assumptions that yield more efficient generators. Let N = pq be the product of two large random primes p and q and let d be a natural number that is relatively prime to φ(N) = (p-1)(q-1). We conjecture that the following distributions are indistinguishable by efficient statistical tests (see Hypothesis 2.1):

the distribution of x^d (mod N) for random x ∈ [1, N^{2/d}],
the uniform distribution on [1, N].

This hypothesis is closely related to the security of the RSA-scheme. Under this hypothesis the transformation

x → x^d (mod N)

stretches short random seeds x ∈ [1, N^{2/d}] into pseudo-random numbers x^d (mod N) in the interval [1, N]. We build various random number generators on this transformation. The sequential polynomial generator (SPG) generates from a random seed x ∈ [1, N^{2/d}] a sequence of numbers x = x_1, x_2, ..., x_i, ... ∈ [1, N^{2/d}]. The n(1 - 2/d) least significant bits of the binary representation of x_i^d (mod N) are the output of x_i and the 2n/d most significant bits form the successor x_{i+1} of x_i, where n is the number of bits in N.
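The SPG just described, and the contrast with the conventional RSA generator drawn earlier on this page, as an added worked example in Python (not code from the patent). The primes p and q are constructed toy values of about 30 bits, so nothing here is secure; they are chosen so that neither is 1 modulo 3 and d = 3 is admissible. The output rate attributed to the conventional generator (it re-exponentiates the whole n-bit value and releases only a few low bits per step; here the bit length of n) is an assumption made for the comparison.

```python
# Added example: sequential polynomial generator (SPG) of the patent versus a
# conventional RSA generator, with constructed toy parameters (insecure).

P, Q = 1000000007, 998244353        # constructed toy primes (assumed), both 2 mod 3
N = P * Q
D = 3                               # gcd(3, (P-1)(Q-1)) == 1 since neither prime is 1 mod 3
NBITS = N.bit_length()              # n: 60 for these toy primes
L = (2 * NBITS) // D                # floor(2n/d) = 40 bits fed back as the next seed
OUT_BITS = NBITS - L                # n(1 - 2/d) = 20 bits released per step


def spg_step(x):
    """One SPG iteration: stretch the l-bit seed x to the n-bit value x^d mod N,
    keep its 2n/d most significant bits as the successor and release the rest."""
    assert 1 <= x < (1 << L), "seed must lie in [1, N^(2/d)] ~ [1, 2^l]"
    y = pow(x, D, N)
    successor = y >> OUT_BITS        # top l bits (y < N < 2^n, so at most l bits)
    out = y & ((1 << OUT_BITS) - 1)  # low n(1 - 2/d) bits
    # A zero successor would be a fixed point (0^d = 0); the text keeps seeds in
    # [1, N^(2/d)], so this assumed remapping only guards an event of probability 2^-l.
    return (successor or 1), out


def spg_bits(seed, steps):
    """Run `steps` iterations and return the concatenated output as a bit string."""
    x, chunks = seed, []
    for _ in range(steps):
        x, out = spg_step(x)
        chunks.append(format(out, "0{}b".format(OUT_BITS)))
    return "".join(chunks)


# The conventional generator of the prior-art discussion: the whole n-bit value
# is fed back and only a few low bits (assumed here: bit_length(n)) are released.
CONV_BITS = NBITS.bit_length()      # 6 for n = 60


def conventional_bits(seed, steps):
    """Same number of modular exponentiations, far fewer output bits per step."""
    x, chunks = seed, []
    for _ in range(steps):
        x = pow(x, D, N)
        chunks.append(format(x & ((1 << CONV_BITS) - 1), "0{}b".format(CONV_BITS)))
    return "".join(chunks)


def bits_per_exponentiation():
    """Output bits obtained from one modular exponentiation in each scheme."""
    return OUT_BITS, CONV_BITS


if __name__ == "__main__":
    seed = 0x5EED0BADFACE & ((1 << L) - 1)   # constructed seed inside [1, 2^l)
    print("SPG bits per step:", OUT_BITS, "conventional bits per step:", CONV_BITS)
    print(spg_bits(seed, 4))
```

With these toy sizes one SPG step costs x·x·x with x of 40 bits, i.e. one 120-bit product reduced once modulo the 60-bit N, which is the "about one full multiplication" accounting given below; the conventional loop reduces a 180-bit product each step and keeps only six bits of it.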

It follows from a general argument of Goldreich, Goldwasser, Micali (1986) and the above hypothesis that all these generators are perfect, i.e. the distribution of output strings is indistinguishable, by efficient statistical tests, from the uniform distribution of binary strings of the same length. The sequential generator is nearly as efficient as the LCG. Using a modulus N that is n bits long, it outputs n(1 - 2/d) pseudo-random bits per iteration step. The cost of an iteration step x → x^d (mod N) with x ≤ N^{2/d} corresponds to the cost of about one full multiplication modulo N. This is because the evaluation of x^d (mod N) over numbers x ≤ N^{2/d} consists almost entirely of multiplications with small numbers that do not require modular reduction.

We extend the SPG to a parallel polynomial generator (PPG). The PPG generates from a random seed x ∈ [1, N^{2/d}] a tree. The nodes of this iteration tree are pseudo-random numbers in [1, N^{2/d}] with outdegree at most d/2. To compute the successor nodes y(1), ..., y(s) and the output string of node y we stretch y into a pseudo-random number y^d (mod N) that is n bits long. Then the successors y(1), ..., y(s) of y are obtained by partitioning the most significant bits of y^d (mod N) into s ≤ d/2 bit strings of length ⌊2n/d⌋. The output of node y consists of the remaining least significant bits of y^d (mod N). Any collection of subtrees of the iteration tree can be independently processed in parallel once the corresponding roots are given. In this way m parallel processors can speed the generation of pseudo-random bits by a factor m. These parallel processors need not communicate; they are given pseudo-independent input strings and their output strings are simply concatenated. The concatenated output of all nodes of the iteration tree is pseudo-random, i.e. the parallel generator is perfect. The PPG enables fast retrieval of substrings of the pseudo-random output. To access a node of the iteration tree we follow the path from the root to this node. After retrieving a bit the subsequent bits in the output can be generated at full speed. Iteration trees of depth at most 30 are sufficient for practical purposes; they generate pseudo-random strings of length 10^20 (for outdegree 4) such that individual bits can be retrieved within a few seconds.
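The iteration tree described above, together with the indexed access that the encryption system of FIG. 4 relies on, as an added Python example (not the patent's own code). Parameters are constructed toy values: 30-bit primes and d = 5, so each node has s = 2 successors of l = ⌊2n/d⌋ = 24 bits and releases 12 output bits. The patent leaves open how the encrypter 20 combines the sequence with the message; the leaf-level keystream and the XOR combination below are assumptions for illustration.

```python
# Added example: parallel polynomial generator (PPG) as an iteration tree with
# direct access to any leaf, and a keystream selected by an index as in FIG. 4.
# All parameters are constructed toy values; nothing here is secure.

P, Q = 1000000007, 998244353    # constructed toy primes (assumed)
N = P * Q
D = 5                           # odd exponent; gcd(5, (P-1)(Q-1)) == 1 for these primes
NBITS = N.bit_length()          # n = 60
L = (2 * NBITS) // D            # l = floor(2n/d) = 24 bits per successor node
S = D // 2                      # outdegree s = 2
OUT_BITS = NBITS - S * L        # remaining low bits released at each node: 12


def extend_node(x):
    """Stretch node value x in [1, 2^l) to the n-bit value x^d mod N; split the
    top s*l bits into s successors and return the low bits as the node output."""
    assert 1 <= x < (1 << L)
    y = pow(x, D, N)
    out = y & ((1 << OUT_BITS) - 1)
    top = y >> OUT_BITS
    mask = (1 << L) - 1
    # successor i takes the i-th l-bit slice from the most significant end; a zero
    # slice is remapped to 1 (assumption) so the tree never stalls at 0^d = 0
    succ = [((top >> ((S - 1 - i) * L)) & mask) or 1 for i in range(S)]
    return succ, out


def node_output(seed, path):
    """Follow `path` (child indices in range(S)) from the root and return that
    node's output: len(path) + 1 exponentiations, independent of the rest of the tree."""
    x = seed
    for child in path:
        x = extend_node(x)[0][child]
    return extend_node(x)[1]


def leaf_outputs(seed, depth):
    """Outputs of all s^depth leaves, left to right, sharing interior nodes."""
    level = [seed]
    for _ in range(depth):
        level = [child for x in level for child in extend_node(x)[0]]
    return [extend_node(x)[1] for x in level]


def leaf_by_index(seed, depth, index):
    """Direct access: write `index` in base s with `depth` digits and walk that path."""
    digits = []
    for _ in range(depth):
        index, digit = divmod(index, S)
        digits.append(digit)
    if index:
        raise ValueError("index beyond the last leaf")
    return node_output(seed, reversed(digits))


def capacity_bytes(depth):
    """Whole bytes obtainable from all leaves of a tree of the given depth."""
    return (S ** depth) * OUT_BITS // 8


def keystream(seed, depth, start, nbytes):
    """Concatenate leaf outputs from leaf `start` onward (the index i of FIG. 4)
    until `nbytes` bytes are available; raises once the tree is exhausted."""
    acc, acc_bits, out, idx = 0, 0, bytearray(), start
    while len(out) < nbytes:
        if idx >= S ** depth:
            raise ValueError("tree exhausted: choose a deeper tree")
        acc = (acc << OUT_BITS) | leaf_by_index(seed, depth, idx)
        acc_bits += OUT_BITS
        idx += 1
        while acc_bits >= 8 and len(out) < nbytes:
            acc_bits -= 8
            out.append((acc >> acc_bits) & 0xFF)
        acc &= (1 << acc_bits) - 1
    return bytes(out)


def xor_with_keystream(data, seed, depth, index):
    """Encrypter 20 / decrypter 22 (assumed XOR combination): both units share the
    seed and the index, so the same call encrypts and decrypts."""
    ks = keystream(seed, depth, index, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    seed = 0xC0FFEE                     # constructed seed in [1, 2^l)
    ciphertext = xor_with_keystream(b"attack at dawn", seed, 8, 37)
    print(ciphertext.hex())
    print(xor_with_keystream(ciphertext, seed, 8, 37))
```

`keystream` re-walks the root path for every leaf, which is the K operations per access the text describes; a production version would keep the shared interior nodes and advance leaf by leaf at full speed, as the sentence before this example states.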

The Complexity Assumption for the Polynomial Random Generator

Let P(x) be a polynomial of degree d ≥ 2 with integer coefficients and let N be an integer that is n bits long, i.e. 2^{n-1} ≤ N < 2^n. We denote l = ⌊2n/d⌋. Residue classes modulo N are identified with the corresponding integers in the interval [1, N].

The polynomial generator is based on the transformation

[1, M] ∋ x → P(x) mod N   (1)

where x ranges over a sufficiently large subinterval [1, M] of [1, N]. We would like that the outputs of (1), for random x ∈ [1, M] and given N, M and P, be indistinguishable from random y ∈ [1, N]. The following conditions and restrictions are clearly necessary.

The modulus N must be difficult to factor since given the factorization of N we can easily invert (1).
M must be sufficiently large to make P(x)/N large for almost all x ∈ [1, M]. This is because we can easily invert (1) provided that P(x)/N is small.

P(x) must not be a square polynomial. If P(x) = Q(x)^2 for some polynomial Q then the Jacobi symbol (P(x) mod N / N) is 1 for all x whereas

prob[(y/N) = 1] = prob[(y/N) = -1]

for random y ∈ [1, N]. Since the Jacobi symbol can be computed efficiently without the factorization of N, the outputs P(x) mod N are then easily distinguished from random y.

P(x) must not be a linear transform of a square polynomial. If P(x) = a Q(x)^2 + b we can, from P(x) mod N, recover Q(x)^2 mod N and check that its Jacobi symbol is 1.

We choose N, M, P(x) so as to correspond to these conditions. Let N be a random number that is uniformly distributed over the set

S_n = { N = p·q | p, q distinct primes with 2^{n/2 - 1} ≤ p, q < 2^{n/2} }

of integers that are products of two distinct primes which each is n/2 bits long. We choose arbitrary M that are proportional to 2^l, M = Θ(2^l); i.e. 1/c ≤ 2^l/M ≤ c for some absolute constant c > 0. Then M is proportional to N^{2/d} for all N ∈ S_n. The choice for the polynomials P(x) seems to be subject to only a few restrictions. We are going to study a particular class of permutation polynomials where the hypothesis below can be justified by known theory. These are the RSA-polynomials P(x) = x^d with d relatively prime to φ(N) = (p-1)(q-1).

Rivest, Shamir and Adleman (1978) have invented the RSA-cryptoscheme that is based on the multiplicative group

Z_N^* = { x (mod N) | gcd(x, N) = 1 }

of residue classes modulo N that are relatively prime to N. The integer N is the product of two odd primes, N = p·q. The order of the group Z_N^* is φ(N) = (p-1)(q-1). The transformation

x → x^d (mod N)   (2)

with gcd(φ(N), d) = 1 is a permutation on the residue classes modulo N, i.e. it permutes the integers in the interval [1, N]. The inverse transformation is given by x → x^e (mod N) where e = d^{-1} mod φ(N). The permutation (2) with gcd(φ(N), d) = 1 and d ≠ 1 is an RSA-enciphering function. The enciphering key d does not reveal the inverse key e provided that φ(N) is unknown. Knowledge of φ(N) is equivalent to knowing the factorization N = p·q. The security of the RSA-scheme relies on the assumption that RSA-enciphering x → x^d (mod N) is difficult to invert when d, N are given but φ(N) and e = d^{-1} mod φ(N) are unknown. All known methods for inverting RSA-enciphering require the factorization of N.

We are going to show that the following hypothesis is closely related to the security of the RSA-scheme. Our random number generators will rely on this hypothesis.

Hypothesis 2.1 Let d ≥ 3 be an odd integer and l = ⌊2n/d⌋. For random N ∈ S_n such that gcd(d, φ(N)) = 1 and for all M = Θ(2^l) the following distributions on [1, N] are indistinguishable by polynomial time statistical tests:

the uniform distribution on [1, N],
x^d (mod N) for random x ∈ [1, M].

We explain the hypothesis in more detail. The concept of a statistical test has been introduced by Yao (1982). A polynomial time statistical test is a probabilistic polynomial time algorithm; according to Yao it is sufficient to consider statistical tests with 0-1 output. Let

p_n^T = prob[T_n(y) = 1]

be the probability that T_n outputs 1. The probability space is that of all integers N ∈ S_n with gcd(d, φ(N)) = 1, all numbers y ∈ [1, N] and all 0-1 sequences of internal coin tosses of T. Let

p_n^T(M)

be the same probability with random numbers y ∈ [1, N] replaced by y = x^d (mod N) for random x ∈ [1, M]. The hypothesis means that for every polynomial time statistical test T and all M_n = Θ(2^l)

lim_{n→∞} |p_n^T - p_n^T(M_n)| · n^t = 0 for all t ≥ 0.   (3)

We say that the statistical test T ε-rejects RSA-ciphertexts x^d (mod N) of random x ∈ [1, M_n] if

|p_n^T - p_n^T(M_n)| ≥ ε_n

for infinitely many n. If (3) holds for all polynomial time statistical tests T we call RSA-ciphertexts x^d (mod N) of random messages x ∈ [1, M_n] pseudo-random in [1, N]. In this case the distributions of x^d (mod N) for random x ∈ [1, M_n] and the uniform distribution on [1, N] are called indistinguishable.

In general two sequences of distributions (D_n)_{n∈ℕ} and (D̄_n)_{n∈ℕ} are called indistinguishable if for every polynomial time statistical test (T_n)_{n∈ℕ} that is given random inputs with respect to D_n (D̄_n resp.) the probabilities p_n^T (p̄_n^T resp.) of output 1 satisfy

lim_{n→∞} |p_n^T - p̄_n^T| · n^t = 0

for all t ≥ 0. In case of indistinguishable distributions D_n, D̄_n and if D̄_n is the uniform distribution on a set C_n then random elements with respect to D_n are called pseudo-random in C_n. In case of pseudo-random pairs




4,944,009 


(x, y) we call x and y pseudo-independent. A random number generator is called perfect if it transforms random seeds into pseudo-random strings.

It can easily be seen that Hypothesis 2.1 can only fail if RSA-enciphering leaks partial information on RSA-messages.

Fact 2.2 Suppose Hypothesis 2.1 fails. Then given d and N we can distinguish between RSA-ciphertexts x^d (mod N) of random messages x ∈ [1, N] and of random messages x ∈ [1, M_n] for some M_n = Θ(2^l).

Proof The transformation x → x^d (mod N) permutes the integers in the interval [1, N]. The RSA-enciphering x^d (mod N) of random messages x ∈ [1, N] is uniformly distributed over [1, N]. If Hypothesis 2.1 fails the uniform distribution can be distinguished from RSA-ciphertexts x^d (mod N) for random x ∈ [1, M_n]; i.e. RSA-ciphertexts x^d (mod N) would leak information on whether the message x is contained in [1, M_n]. QED

We do not claim that the RSA-scheme breaks down if the hypothesis fails. This is because messages in the interval [1, 2^l] are rather unlikely. Nevertheless the hypothesis is close to the security of the RSA-scheme. Using the following Theorem 2.3 we can relate the hypothesis to RSA-security (see Corollary 2.5).

Theorem 2.3 Alexi, Chor, Goldreich, Schnorr (1985) Let d, N be integers such that gcd(d, φ(N)) = 1. Every probabilistic algorithm AL, which given the RSA-enciphering x^d (mod N) of a message x has an ε_N-advantage in guessing the least significant bit of the message x, can be transformed (uniformly in N) into a probabilistic algorithm ĀL for deciphering arbitrary RSA-ciphertexts. The deciphering algorithm ĀL, when given for input x^d (mod N), d and N, terminates after at most

O(ε_N^{-8} n^3)

elementary steps and outputs x with probability at least

We count for elementary steps the Z_N operations (addition, multiplication, division), RSA-encryptions and calls for algorithm AL at unit cost. We say that algorithm AL has an ε_N-advantage in guessing the least significant bit of x if

prob[AL(x^d (mod N)) = x (mod 2)] ≥ 1/2 + ε_N.

The probability space is the set of all x ∈ [1, N] and all 0-1 sequences of internal coin tosses, with uniform probability.

By Theorem 2.3 the security of the RSA-scheme with parameters N, d implies that the following two distributions cannot be distinguished given only N and d:

the uniform distribution on [1, N],
x^d (mod N) for random even x ∈ [1, N].

Everyone who is able to distinguish these distributions can decode arbitrary RSA-ciphertexts x^d (mod N) given only N and d. We will present in Corollary 2.4 a more formal version of this statement.

We say that a probabilistic algorithm AL ε_N-rejects the distribution D on [1, N] if

|p^A - p̄^A| ≥ ε_N

where p^A (p̄^A resp.) is the probability that AL on input y ∈ [1, N] outputs 1. The probability space is the set of all y ∈ [1, N], distributed according to D (with uniform distribution, resp.) and of all 0-1 sequences of internal coin tosses of algorithm AL. Using this notion we can reformulate Theorem 2.3 as follows.

Corollary 2.4 Let d, N be integers such that gcd(d, φ(N)) = 1. Every probabilistic algorithm AL that ε_N-rejects RSA-ciphertexts x^d (mod N) of random even messages x can be transformed (uniformly in N) into a probabilistic algorithm for decoding arbitrary RSA-ciphertexts. This deciphering algorithm terminates after at most

O(ε_N^{-8} n^3)

elementary steps (i.e. Z_N operations, RSA encryptions and calls for AL).

We next show that Corollary 2.4 remains valid if we replace RSA-ciphertexts of random even messages x by RSA-ciphertexts of random messages x ∈ [1, N/2].

Corollary 2.5 Let d, N be odd integers such that gcd(d, φ(N)) = 1. Every probabilistic algorithm AL that ε_N-rejects RSA-ciphertexts x^d (mod N) of random messages x ∈ [1, N/2] can be transformed (uniformly in N) into a probabilistic algorithm for decoding arbitrary RSA-ciphertexts. This deciphering algorithm terminates after at most

O(ε_N^{-8} n^3)

elementary steps.

Proof For odd N and all x ∈ [1, N] we have

x ∈ [1, N/2] ⇔ 2x (mod N) is even.

We see from this equivalence that the following distributions are identical for odd N:

x^d (mod N) for random x ∈ [1, N/2],
2^{-d} y^d (mod N) for random even y ∈ [1, N].

Moreover we can transform in polynomial time y^d (mod N) into 2^{-d} y^d (mod N). Thus an ε_N-rejection of RSA-encipherings x^d (mod N) of random messages x ∈ [1, N/2] can be transformed (uniformly in N) into an ε_N-rejection of RSA-ciphertexts y^d (mod N) of random even y ∈ [1, N]. Corollary 2.5 follows from Corollary 2.4 by this transformation.

Under the assumption that the RSA-scheme is safe, Corollary 2.5 proves a slight modification of our hypothesis. The interval [1, 2^l] of Hypothesis 2.1 is replaced by the interval [1, N/2] in this modification. This poses the question whether the length of the interval is crucial for the hypothesis to be valid. We next show that Hypothesis 2.1, with the interval [1, 2^l] replaced by the interval

[1, N·2^{-log n}],

is valid if the RSA-scheme is safe.

Theorem 2.6 Let d, N be odd integers such that gcd(d, φ(N)) = 1. Every probabilistic algorithm AL that ε_N-rejects RSA-ciphertexts x^d (mod N) of random messages x ∈ [1, N·2^{-k}] can be transformed (uniformly in N) into a probabilistic algorithm for decoding arbitrary
RSA-ciphertexts. This deciphering algorithm terminates after at most

elementary steps.

Proof Under the assumption that the RSA-scheme is safe, Alexi et alii (1985) have shown that the log n least significant bits of RSA-messages x are pseudo-random when given x^d (mod N), d and N. Their proof transforms every algorithm that ε_N-rejects RSA-encipherings x^d (mod N) of random messages x satisfying x ≡ 0 (mod 2^k) (uniformly in N) into a probabilistic algorithm for deciphering arbitrary RSA-ciphertexts. This RSA-deciphering procedure terminates after at most

O(2^{2k} ε_N^{-8} n^3)

elementary steps (i.e. Z_N-operations, RSA-encipherings and calls for algorithm AL).

For odd N and all x ∈ [1, N] we obviously have

x ∈ [1, N·2^{-k}] ⇔ 2^k x (mod N) ≡ 0 (mod 2^k).

Therefore the following two distributions are identical for odd N:

x^d (mod N) for random x ∈ [1, N·2^{-k}],
2^{-kd} y^d (mod N) for random y ∈ [1, N] satisfying y ≡ 0 (mod 2^k).

Moreover we can transform in polynomial time y^d (mod N) into 2^{-kd} y^d (mod N). Thus an ε_N-rejection of RSA-

then we can speed up the presently known attacks to the RSA-scheme.

It remains the question whether the computational properties of the distribution x^d (mod N) change when x ranges over very small integers x. In fact Hypothesis 2.1 does not hold for the interval [1, N^{1/d}] since we have x^d < N for all x ∈ [1, N^{1/d}] and therefore RSA-ciphertexts x^d (mod N) can easily be deciphered for x ∈ [1, N^{1/d}]. On the other hand, for x ∈ [1, N^{2/d}] the d-th powers x^d are of order N^2, and we conjecture that this is sufficient to make the inversion of x → x^d (mod N) hard. This is justified because inverting the squaring x → x^2 (mod N) is known to be as hard as factoring N, and the squares x^2 are of order N^2, too.

We are going to study the question whether Hypothesis 2.1 should be extended to polynomials P(x) that are more general than RSA-polynomials P(x) = x^d with gcd(d, φ(N)) = 1. There is an obvious extension of Hypothesis 2.1 to arbitrary exponents d ≥ 2. It seems that the condition gcd(d, φ(N)) = 1 is not necessary for odd d. But we must modify the hypothesis for even d since the Jacobi symbol gives efficient information on the quadratic residuosity. We formulate the extended hypothesis so that it can be applied in the proof of Theorem 3.1 to obtain perfect PPG's. For reasons of efficiency we are particularly interested in even exponents
ciphertexts x*(m°d N) of random messages xe[l,N 2**] 35 d ^ in exponents that are powers of 2. 
can be transformed (uniformly in N) into an Civ-rejec- Extension to even d of Hypothesis 2.1: For random 
tion of RSA-ciphertexts y^(mod N) of random messages N€S„, all M=d(2) t random X€[1,M] and y:=x^(mod N), 
y satisfying y=0(mod 2 k ). Corollary 2.6 follows from z:= fy/2 n -H the following holds, 
this transformation and the above mentioned proof of (1) y and z^(mod N) are pseudo-random quadratic 
Alexi et alii (1985). 40 residues, 

Notice that the time bound for the RSA-deciphering (2) the number y(mod 2»-() is pseudo-random in 
algorithm of Corollary 2.6 is polynomially related to the [l,2 rt - / ], 

time bound of algorithm AL provided that k^log n. (3) z rf (mod N) and y(mod 2«~0 are pseudo-independ- 

Hence if Hypothesis 2.1 fails, with the interval [1,21 ent . 

replaced by the interval [1, N2- f*r «~| ], then RSA- 45 ™ e ^ ten ^i^?^ si f can be J ustI ff d \ | he work 

cijhertexts can be deciphered in polynomial time. Also of A ! e * * ^ < 19 * 4 > f ° r * e case that » • B1 ™ te ; 
■ f u *u ■ ^ * r -i -*u *u • * i n m i j g er » l - e - N is product of two pnmes p and q such that 
.f Hypothesis 2.1 fads, with the interval [1,21 replaced 4) ^ q=3(mod P ^ Wy . £ 

y t einerv does not matter that y=x rf (mod N) ranges over qua- 

50 dratic residues. None of the disjoint parts z and y(mod 
xr— 2"-0 of y contains efficient information on the qua- 

], dratic residuosity of x rf (mod N). The dependence of z 

and y(mod 2"-0» by the quadratic residuosity of y, is 
then RSA-ciphertexts can be deciphered in time hidden bv the transformation z— z<*(mod N). 

55 Next we consider arbitrary polynomials P(x) of de- 
gree d. We are going to show that some elementary 
Q{ \^ ) methods for distinguishing random numbers ye[l,N] 

e and P(x) mod N for random xef^N 2 /^] do not work. 

Theorem 2.7 is a first step in this direction. This prob- 
However the fastest known algorithm for RSA-deci- 60 lem clearly deserves further study, 
phering, via factoring N, requires about In general we can invert the transformation 

x^P(x)modN (1) 

0.693 N ntogn 

e 65 only if the factorization N=pq is given. Then, using 

Berlekamps algorithm for polynomial factorization we 
steps, where 0.693 sslog2. Thus if Hypothesis 2.1 fails invert (1) modulo p and modulo q and apply the Chin- 
for the interval ese remainder construction. This can be done in proba- 
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bilistic time (nd)°(i). Without knowing the factorization x/ + 1 of x/ is the number corresponding to the other bits 
of M we do not know how to invert (1). We can how- of P(x,) mod N, 
ever invert factors P(x) of x4K^0 provided that we know 

the cofactor x<K*)/P(x) but then we can factor N. */+ 1 |A*r) mod N/i"- 7 ] . 

Can we invert (1) for small integers x? If | P(x) |/N is 5 
small we can guess z = P(x) and factorize P(x) — z. Theo- The sequential polynomial generator as illustrated in 
rem 2.7 below shows that |P(x)|/N is large for almost FIG. 6. 
all xcfl.N 2 ^ provided that P(x) has degree^N l/2rf . Let the k-output of the SPG 
This degree bound is necessary since there exist polyno- 
mials of degree N 2 ^ that vanish on the intervall io 

[l,N2/rfJ. k 

Theorem 2.7 Let Afrd be integers such that sro w <*iV) - » Out<*/) 

M^(BN) I/rf 16Ad, and let P(x)e [x] have degree d. ' 

ITjen we have prob[|P(x)| 5BN]31/A for random ^ the concatenated output of the ^ k gteps . 

X€ hL r t * u *u a- *; * i u • 15 Notice that the most significant bits of P(x/) mod N 

Proof Let xi, . , . , xjt be the distinct real numbers in u . , , t , . : /v c xt 

[0,N] satisfying PO^-BW for i- 1, . . . , k. We have " e bia *f d on the most agruftcant bits of N. 

k£2d since P(x)2 has degree 2d, We partition the real Even thoa * the most &l ^ c f 1 bl * of *W mod * 

interval [0,M] into 4Ad intervals of length M/(4Ad). A m not P^udo-random we can form from these bits the 

fundamental theorem in approximation theory (see e.g. 20 successor x/ + t of x,. This is because the generator prop- 

Stiefel (1969), p. 236) implies that ert y 811(1 Hypothesis 2.1 imply that P(x,) mod N is pseu- 
do-random for random numbers x/c[l,M] for all M pro- 

u portional to 2h We could fix M to 2' if the SPG would 

( M \ _m , . not ^ at ^1 the 1 most significant bits of P(x,) mod N, 

m«[P(x) \x €i\ * |^g^- J 2 ^ ^ would fonn 0ut(x/ ) ^ x/+ , from the n _i i eas t 

significant bits. 

for each of these intervals I. Hence Theorem 3. 1 Suppose that P has the generator prop- 

erty. Then for random N€S„, random xet^N 2 ^ and 
polynomially bounded k (i.e. k = k(n) — n°0 )) the k-out- 
( m \ 30 P ut SPGA,p(x,N) of the sequential polynomial generator 

max[| m\x € /] > ^-jsjj- J js pseudo-random. 

Proof For random NeS n and random xi€[l,N 2/rf ] the 
This shows that every interval I, that contains an inte- numb< * p (*i) m °<* /Wfl » Pseudo-random It fol- 
ger x satisfying |P(x)|*BN, must also contain some lows * e b " stnng Out(x0 € {0,l pseudo-ran- 
point x/, l^i^k^2d. The intervals I that contain some 35 dom that the number X2€[l,2 / ] is pseudo-random, 
point x/ can have at most We ^ see that the (OuK*i), x *) is pseudo-random. 

It follows from the generator property and since X2 is 
pseudo-random that 

U (w + 1 + 24 w (Out(xi)Out(x2)^ 3 )=(5^,Xxi.^V)^3) 

. t . A c . is pseudo-random, too. To prove this claim we replace 

integer points. This accounts for at most a fraction of • * s *i i * ^ V rv \ r /r\ */ \ rx Kr \ 
° K m a statistical test T=(T„)„ € for z:=(Out(xi) Out(x2), 

X3) either (Out(x2), X3) or Out (x\) by independent ran- 

-^j- + -~- s \/A 45 dom objects generated through internal coin tosses. 

This transforms T into statistical test for P(X2) mod N 

of the points in [l t M]. (P(xi)mod N, resp.). If z is €„-rejected then either P(x 2 ) 

The Sequential and the Parallel Polynomial Genera- mod N or p ( x >> mod N is («/r/2)-rejected. In either case 

t or this yields a statistical test that (c rt /2)-rejects P(xi) mod 

In this section we build several RNG's on polynomi- 50 N. 
als P(x) of degree dS2 that have the following genera- By induction on k the same argument proves that 
tor property. The generator property formulates Hy- 
pothesis 2.1 for arbitrary polynomials P(x). <&>Q K A*\l*)*k+\) 

Definition The polynomial P(x) has the generator 

property if for random N£S„, all M proportional to 55 15 pseudo-random for every fixed k. The pseudo-ran- 

N 2 ^ and random xe[l t M] the number P(x) mod N is domness also holds if k=k(n) depends on n if k is 

pseudo-random in [1,N]. polynomially bounded in n, i.e. k^n* 1 ). Using the 

The generator property means that P stretches ran- above argument we can transform a test that e„-rejects 

dom seeds xct^NP^ into pseudo-random numbers P(x) (SPGjfc,/<xi,N) f x *+ 0 int0 a test tnat (e n A)-rejects P(x0 

mod N in the interval [l t N], By Hypothesis 2.1 RSA- 60 mod N. 

polynomials P(x)=x rf with gcd(d,<f>(N))=l and di=3 It is important that the above proof also applies to 

have the generator property. polynomials P(x)=x rf with even d. Instead of using the 

The sequential polynomial generator (SPG) gener- generator property of P we can use the extension to 

ates a sequence of numbers x=*i, X2, . . . , Xi, . . . , in even d of Hypothesis 2.1. Speaking informally, it does 

[l.N 2 ^ that are represented by bit strings of length 65 not hurt that x^(mod N) ranges over quadratic residues 

1:= L?n/dJ . The output at x/, Out(x/)«{0, l}"-', is the since the output merely contains the least significant bits 

bit string consisting of the n— 1 least significant bits of of x^mod N) and these bits give no efficient informa- 

the binary representation of P(x,-) mod N. The successor tion on the quadratic residuosity of x rf (mod N). Thus we 
can use for random bit generation the polynomial P(x) = x^16 which yields particularly efficient generators.

PRACTICAL POLYNOMIAL GENERATORS

For practical applications let N be a fixed product of two random primes p and q which each is 256 bits long. N must be so large that it is infeasible to enumerate a non-negligible part of [1, N^{2/d}]. We recommend that d ≤ 16 so that […]

EXAMPLE 1

Let N be n = 512 bits long and let gcd(15, φ(N)) = 1. We choose d = 15, P(x) = x^15. Let Out(x_i) consist of the 440 least significant bits of P(x_i) mod N and let x_{i+1} be the number corresponding to the 68 most significant bits of P(x_i) mod N. We compute x^15 (mod N) by computing x^2, x^4, x^8, x^7 = x^4·x^2·x and x^15 = x^8·x^7 (mod N). Only the last multiplication requires modular reduction. The other multiplications are with small numbers. The costs of one iteration step correspond to one full modular multiplication. Thus this SPG iteratively outputs 440 pseudo-random bits at the cost of one full modular multiplication with a modulus that is 512 bits long.

EXAMPLE 2

Another suitable polynomial is P(x) = x^16 even though this polynomial does not have the generator property. The computation of x^16 (mod N) is particularly easy; we compute x^2, x^4, x^8 and x^16 = x^8·x^8 (mod N). The SPG with P(x) = x^16 iteratively outputs 448 bits at the cost of one full modular multiplication with a modulus N that is 512 bits long.

Next we are going to extend the SPG to a generator which we can speed by parallelization. The parallel polynomial generator (PPG) generates from random seed x∈[1, N^{2/d}] a tree with root x and outdegree at most d/2. The nodes of this iteration tree are pseudo-random numbers in [1, N^{2/d}] that are represented by bit strings of length l.

The successors y(1), …, y(s) of a node y with degree s and the output string Out(y) at y are defined as follows. Let b_1, …, b_n be the bits of the binary representation of P(y) mod N, with b_1 being the most significant bit, i.e.

∑_{t=1}^{n} b_t·2^{n−t} = P(y) mod N.

We partition the s·l most significant bits into s blocks with l bits in each block. The corresponding numbers

y(j) = 1 + ∑_{i=1}^{l} b_{(j−1)l+i}·2^{l−i}   for j = 1, …, s

are the successors of node y in the iteration tree. The output Out(y) at node y consists of the remaining low order bits of P(y) mod N,

Out(y) = b_{sl+1} … b_n.

For convenience we denote the nodes on level k of the iteration tree as x(j_1, …, j_k); x(j_1, …, j_{k−1}) is the direct predecessor of x(j_1, …, j_k) and j_k ranges from 1 to s_{k−1} = "outdegree of x(j_1, …, j_{k−1})". For simplicity we let the outdegree of node x(j_1, …, j_k) be a function depending on k only; we assume that s_k ≥ 1.

The parallel polynomial generator can be figured by the infinite tree of FIG. 7.

We define the k-output PPG_{k,P}(x,N) of the PPG with seed x as the concatenation of all bit strings Out(x(j_1, …, j_i)) on levels i with 0 ≤ i ≤ k, with respect to any efficient enumeration order, as e.g. preorder traversal, postorder traversal, inorder traversal or enumeration by levels.

In the particular case that all outdegrees are one, i.e. s_0 = s_1 = … = s_k = 1, the parallel and the sequential polynomial generator coincide. The argument of Goldreich, Goldwasser and Micali (1986) extends Theorem 3.1 from the SPG to arbitrary PPG's, provided that we process at most polynomially many nodes in the iteration tree. This yields the following theorem.

Theorem 3.2 Suppose that P has the generator property. Then for random N∈S_n, random x∈[1,2^l] the k-output PPG_{k,P}(x,N) of the parallel polynomial generator is pseudo-random provided that the length of PPG_{k,P}(x,N) is polynomially bounded.

Idea of proof

There is a straightforward way to extend the proof of Theorem 3.1. Suppose that the k-output PPG_{k,P}(x,N) collects the outputs of k nodes. Then every statistical test that ε_n-rejects PPG_{k,P}(x,N) for random x∈[1, N^{2/d}] and random N∈S_n can be transformed into a statistical test that (ε_n/k)-rejects P(x) mod N.

For the output of the PPG we can use any efficient enumeration for the nodes of the iteration tree. To support parallel evaluation we can adjust the shape of the iteration tree and the enumeration order to the number of available parallel processors. In Example 3 we form, for 8 parallel processors, an iteration tree consisting of 8 rays attached to the root; the nodes are enumerated by levels and within levels from left to right. For m parallel processors we can use any iteration tree consisting of m isomorphic subtrees attached to the root; we can enumerate, in any order, the m-tuples of corresponding nodes in these subtrees. The enumeration within the subtrees can be chosen to support fast retrieval; for this we can enumerate the nodes e.g. in preorder traversal or in inorder traversal. It is an obvious but important observation that m processors can speed the pseudo-random bit generation of the PPG by a factor m. Once we are given m nodes on the same level of the iteration tree we can process the subtrees below these nodes independently by m parallel processors. These processors do not need to communicate.

Corollary 3.3 Using m processors in parallel we can speed the pseudo-random bit generation of the parallel polynomial generator by a factor m.
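As an added example (not code from the patent), here are the SPG and the PPG just defined, together with the root-to-node retrieval that the iteration tree makes possible, in Python; the modulus is a constructed 64-bit toy and all names are this example's own, but the 512-bit parameters of Examples 1 and 2 plug into the same functions.

```python
"""Sequential (SPG) and parallel (PPG) polynomial generators of the text.

Added example, not the patent's own code.  The modulus is a constructed
64-bit toy (two 32-bit primes) so that it runs instantly; the 512-bit
parameters of Examples 1-4 plug into the same functions unchanged.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    N: int  # modulus N = p*q
    d: int  # exponent of the polynomial P(x) = x^d
    n: int  # bit length of N

    @property
    def l(self) -> int:
        # nodes x in [1, N^(2/d)] are represented by l = floor(2n/d) bits
        return (2 * self.n) // self.d


def p_bits(prm: Params, x: int) -> str:
    """Binary representation b_1 ... b_n of P(x) mod N, b_1 most significant."""
    return format(pow(x, prm.d, prm.N), f"0{prm.n}b")


def spg(prm: Params, x: int, k: int) -> tuple[str, int]:
    """k-output SPG_{k,P}(x,N) = Out(x_1)...Out(x_k) and the next node x_{k+1}.

    Out(x_i) is the n-l least significant bits of P(x_i) mod N; the l most
    significant bits (the ones biased by N) are never output, they only
    form x_{i+1} = floor((P(x_i) mod N) / 2^(n-l)).
    """
    out = []
    for _ in range(k):
        bits = p_bits(prm, x)
        out.append(bits[prm.l:])
        x = int(bits[:prm.l], 2)
    return "".join(out), x


def ppg_node(prm: Params, y: int, s: int) -> tuple[list[int], str]:
    """Successors y(1), ..., y(s) and Out(y) of a node y with outdegree s.

    The s*l most significant bits of P(y) mod N are cut into s blocks of
    l bits; block j (plus 1, as in the text) is successor y(j).  The
    remaining n - s*l low-order bits are the output at y.  s <= d/2
    guarantees s*l <= n.
    """
    assert 0 <= s <= prm.d // 2
    bits = p_bits(prm, y)
    succ = [1 + int(bits[j * prm.l:(j + 1) * prm.l], 2) for j in range(s)]
    return succ, bits[s * prm.l:]


def ppg_levels(prm: Params, x: int, outdegree: list[int]) -> list[list[int]]:
    """Nodes of the iteration tree level by level, left to right.

    levels[i] holds the nodes x(j_1, ..., j_i); outdegree[i] is s_i, the
    outdegree of every node on level i (a function of the level only).
    """
    levels = [[x]]
    for s in outdegree:
        levels.append([y for z in levels[-1] for y in ppg_node(prm, z, s)[0]])
    return levels


def ppg(prm: Params, x: int, outdegree: list[int]) -> str:
    """k-output PPG_{k,P}(x,N) with k + 1 = len(outdegree): the strings Out()
    of all nodes on levels 0..k, enumerated by levels and left to right."""
    levels = ppg_levels(prm, x, outdegree[:-1])
    return "".join(ppg_node(prm, y, s)[1]
                   for s, level in zip(outdegree, levels) for y in level)


def retrieve(prm: Params, x: int, path: list[int], outdegree: list[int]) -> int:
    """Fast retrieval: reach x(j_1, ..., j_k) by walking the root-to-node
    path, i.e. with k evaluations of P instead of generating the whole
    tree.  path[i] is the 0-based branch taken on level i."""
    y = x
    for i, j in enumerate(path):
        y = ppg_node(prm, y, outdegree[i])[0][j]
    return y


# Constructed toy parameters: n = 64, d = 16, hence l = 8 seed bits per node.
TOY = Params(N=4294967291 * 4294967279, d=16, n=64)

if __name__ == "__main__":
    seed = 201  # a seed in [1, 2^l]
    print(spg(TOY, seed, 3)[0])
    # shape of Example 3: 8 rays attached to the root (the root outputs no bits)
    print(len(ppg(TOY, seed, [8, 1, 1, 1])))
```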

PRACTICAL PARALLEL POLYNOMIAL GENERATORS

Let N be product of two random primes so that N is 512 bits long. Let P(x) = x^16.

EXAMPLE 3

We construct from random x∈[1,2^64] a tree with 8 nodes per level. (FIG. 8)

1. Stretch a random seed x∈[1,2^64] into x^16 (mod N).

2. Partition the binary representation of x^16 (mod N) into 8 bit strings x(1), …, x(8) of length 64. Put k = 1 and let PPG_{1,P}(x,N) be the empty string.

3. For j = 1, …, 8 let x(j,k)∈I_64 consist of the 64 most significant bits of the binary representation of x(j,k−1)^16 mod N, and let Out(x(j,k))∈I_448 consist of the remaining 448 least significant bits.

4.
PPG_{k+1,P}(x,N) := PPG_{k,P}(x,N) · ∏_{j=1}^{8} Out(x(j,k));   k := k + 1, go to 3.

Using 8 parallel processors this PPG iteratively generates 8 · 448 = 3584 pseudo-random bits in the time for one full modular multiplication with a modulus N that is 512 bits long. With current processors for smart cards such a full modular multiplication can be done in less than 0.2 sec. Thus 8 parallel processors can generate about 18000 pseudo-random bits per sec.

EXAMPLE 4

We construct from random x∈[1,2^64] a complete tree of outdegree 4.

1. Choose a random seed x∈[1,2^64] for root of the tree.

2. For every node y∈[1,2^64] of the tree compute the 4 successors y(1), …, y(4) and the output Out(y) of y^16 (mod N) by partitioning the binary representation B of y^16 (mod N) as

B = B_1 B_2 B_3 B_4 Out(y) ∈ I_64^4 × I_256

and compute for i = 1, …, 4

y(i) := 1 + "the number with binary representation B_i".

The main interest in such a PPG comes from fast retrieval methods.

Fast retrieval for the PPG: If the PPG has a complete iteration tree one can efficiently retrieve substrings of the output. Consider example 4 with a complete iteration tree of outdegree 4. Level k of the tree has 4^k nodes and the first k levels have about 4^k · 5/4 nodes in total. Suppose the nodes of the tree are enumerated in preorder traversal. Each node yields 256 output bits. To retrieve node y we follow the path from the root to y. This requires processing and storage of at most k nodes and can be done at the costs of about k full modular multiplications. Once we have retrieved node y and stored the path from the root to node y, the bit string that follows Out(y) in the output can be generated by standard methods at the speed of 256 bits per modular multiplication. For most practical applications the depth k will be at most 30 which permits to generate a pseudo-random string that is 3.7 · 10^20 bits long. We see that retrieval of substrings is very efficient, it merely requires a preprocessing stage of a few seconds to retrieve the initial segment of the substring.

Theorem 3.4 Every node y of depth k in the iteration tree of the PPG can be accessed and processed at the costs of O(k) modular multiplications.

TABLE

retrieval performance of the PPG, example 4

k                               5         10         15         20         25         30
# nodes in the first k levels   1280      1.3·10^6   1.3·10^9   1.3·10^12  1.4·10^15  1.4·10^18
# output bits                   3.3·10^5  3.4·10^8   3.4·10^11  3.5·10^14  3.6·10^17  3.7·10^20

Parallelization and fast retrieval for arbitrary perfect RNG's

It is an important observation that the above methods of parallelization and of efficient retrieval apply to every perfect RNG (G_n)_{n∈N}. The parallel version of the generator associates an iteration tree to a random seed. For example let G_n: I_n → I_{3n} stretch random strings in I_n into pseudo-random strings in I_{3n}. We construct from random seed x∈I_n a binary iteration tree with nodes in I_n. Let x be the root of the tree. Construct the two successors y(1), y(2) and the output Out(y) of node y by partitioning G_n(y)∈I_{3n} into three substrings of length n,

G_n(y) = y(1) y(2) Out(y).

Let PG_{k,G}(x) be the concatenated output of all nodes with depth at most k (compare with the definition of PPG_{k,P}(x,N)).

Theorem 3.5 Let (G_n)_{n∈N} be any perfect RNG. Then for random seed x∈I_n the concatenated output PG_{k,G}(x) of all nodes with depth ≤ k is pseudo-random provided that its length is polynomially bounded in n.

We illuminate our method of parallelization in applying it to some less efficient versions of the RSA/Rabin generator. Let N be a product of two random primes such that N is 512 bits long and gcd(3, φ(N)) = 1.

EXAMPLE 5

From random seed x∈[1,N] we generate the sequence of numbers x_1, x_2, …, x_i, … ∈[1,N] as

x_1 = x,   x_{i+1} = x_i^3 (mod N).

Under the assumption that the RSA-enciphering x → x^3 (mod N) is safe for the particular N, Alexi et alii (1984) have shown that about the 16 least significant bits of x_i are pseudo-independent from x_{i+1}. This suggests the following output of x_i:

Out(x_i) = "the 16 least significant bits of x_i".

Thus for random x_1∈[1,N] and under the assumption that RSA-enciphering is safe we obtain pseudo-random bit strings

Out(x_1) Out(x_2) … Out(x_100)

of length 1600. We apply a binary tree construction to the function

G: I_512 → I_1600

that stretches the binary representation of x_1∈[1,N] into Out(x_1) Out(x_2) … Out(x_100). The binary tree has nodes in I_512. The successors y(1), y(2) and the output of node y are obtained by partitioning G(y) into two successor strings of length 512 and an output string Out(y)∈I_576. Processing a
[…]

We can accelerate this generator under the reasonable assumption that the 448 least significant bits of random x∈[1,N] and the number x^3 (mod N) are pseudo-independent. We set

Out(x_i) := "the 448 least significant bits of x_i",

and it follows that […]

G: I_512 → I_1344

that stretches the binary representation of x_1∈[1,N] into

Out(x_1) Out(x_2) Out(x_3).

The successors y(1), y(2)∈I_512 and the output Out(y)∈I_320 of node y are obtained by partitioning G(y)∈I_1344 into two strings in I_512 and Out(y)∈I_320. Processing a node of the binary tree costs 6 modular multiplications.

EXAMPLE 7

We can further speed up this generator under the assumption that the 448 least significant bits of random x∈[1,N] are pseudo-independent of x^9 (mod N). (It follows from Alexi et alii (1984) that the 16 least significant bits of random x∈[1,N] are pseudo-independent of x^9 (mod N) if factoring the particular N is hard.) Under this assumption we can replace the iteration

x_{i+1} = x_i^3 (mod N)

by

x_{i+1} = x_i^9 (mod N).

As in Example 5 we associate with a random x∈[1,N] a binary iteration tree with nodes in I_512. Processing a node of this tree costs about 4 modular multiplications and yields 320 pseudo-random bits for output.

It is interesting to compare the efficiency of these parallel RNG's with the parallel RNG's based on Hypothesis 2.1. For the latter RNG's in examples 1-4 the cost per node of the iteration tree is about 1 multiplication modulo N. This shows that the new perfect RNG's are more suitable for our method of parallelization and fast retrieval.

References

Alexi, W., Chor, B., Goldreich, O., and Schnorr, C. P.: RSA and Rabin Functions: certain parts are as hard as the whole. Proceedings of the 25th Symposium on […]

Blum, L., Blum, M. and Shub, M.: A simple unpredictable pseudo-random number generator. SIAM J. on Computing (1986), pp. 364-383.

Blum, M. and Micali, S.: How to generate cryptographically strong sequences of pseudo-random bits. Proceedings of the 25th IEEE Symposium on Foundations of Computer Science, IEEE, New York (1982); also SIAM J. Comput. 13 (1984), pp. 850-864.

Goldreich, O., Goldwasser, S., Micali, S.: How to Construct Random Functions. Proceedings of the 25th IEEE Symposium on Foundations of Computer Science, IEEE, New York (1984); also Journal ACM 33,4 […]

[…] of Computing, ACM, New York (1985), pp. 356-363.

Stern, J.: Secret linear congruential generators are not cryptographically secure. Proceedings of the 28th IEEE Symposium on Foundations of Computer Science (1987), pp. 421-426.

Stiefel, E.: Einführung in die numerische Mathematik. Teubner, Stuttgart (1969).

Yao, A. C.: Theory and applications of trapdoor functions. Proceedings of the 25th IEEE Symposium on […]

While this invention has been particularly shown and described with reference to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

1. A random sequence generator for generating a random sequence from a seed random sequence of substantially shorter length, the generator performing a tree operation by extending, at each node of a tree structure, a node input random sequence into a longer node output random sequence, a plurality of node output random sequences of the tree structure together comprising a final random output sequence.

2. A random sequence generator as claimed in claim 1 wherein each node input sequence is extended by the operation

y = a_e x^e + a_{e−1} x^{e−1} + … + a_1 x + a_0 (mod N)

where e, a_e, a_{e−1}, …, a_0 and N are integers, the node input sequence represents x and the node output sequence represents y.

3. A random sequence generator as claimed in claim 2 wherein there is at least one a_j of a_e, a_{e−1}, …, a_1 not equal to zero and the greatest common divisor of d and φ(N) is equal to one where φ(N) is Euler's Totient function.

4. A random sequence generator as claimed in claim 2 where N is the product of two large random primes p and q.

5. A random sequence generator as claimed in claim 4 wherein at least one a_j of a_e, a_{e−1}, …, a_3 is nonzero, and d is an integer that is relatively prime to (p−1)(q−1).
6. A random sequence generator as claimed in claim 5 wherein all coefficients of the polynomial of y are equal to zero except the coefficient a_3.

7. A random sequence generator as claimed in claim 6 where a_3 is equal to one.

8. A random sequence generator as claimed in claim 1 wherein each node input sequence is extended by the operation

y = a x^d (mod N)

where N is the product of two large random primes p and q, d is an integer that is relatively prime to (p−1)(q−1), the node input sequence represents x and the node output sequence represents y.

9. A random sequence generator as claimed in claim 8 wherein d is equal to 3.

10. A random sequence generator as claimed in claim 1 wherein each node input sequence is extended by a single modular operation.

11. A random sequence generator as claimed in claim 1 wherein less than all of the bits of node output sequences are reapplied as node input sequences of the tree structure.

12. A random sequence generator for generating a random sequence from a seed random sequence of substantially shorter length, the generator performing a tree operation by extending, at each node of a tree structure, a node input random sequence into a longer node output random sequence, a final random output sequence being generated as successive leaves of the tree structure.

13. A random sequence generator as claimed in claim 12 wherein each node input sequence is extended by the operation

y = a x^d (mod N)

where N is the product of two large random primes p and q, d is an integer that is relatively prime to (p−1)(q−1), the node input sequence represents x and the node output sequence represents y.

14. A random sequence generator as claimed in claim 13 wherein d is equal to 3.

15. A random sequence generator as claimed in claim 12 wherein each node input sequence is extended by a single modular operation.

16. A random sequence generator as claimed in claim 12 wherein each node input sequence is extended by the operation

y = a_e x^e + a_{e−1} x^{e−1} + … + a_1 x + a_0 (mod N)

where e, a_e, a_{e−1}, …, a_0 and N are integers, the node input sequence represents x and the node output sequence represents y, and where there is at least one a_j of a_e, a_{e−1}, …, a_1 not equal to zero and the greatest common divisor of d and φ(N) is equal to one where φ(N) is Euler's Totient function.

17. A random sequence generator for generating a random sequence from a seed random sequence of substantially shorter length, the generator comprising a plurality of processors, each processor extending a node input random sequence into a longer node output random sequence, each of the plurality of processors performing a portion of a tree structure by extending a node input sequence and then separately extending different portions of a node output sequence in successive operations at successive nodes of the tree structure.

18. A random sequence generator as claimed in claim 17 wherein each node input sequence is extended by the operation

y = a x^d (mod N)

where N is the product of two large random primes p and q, d is an integer that is relatively prime to (p−1)(q−1), the node input sequence represents x and the node output sequence represents y.

19. A random sequence generator as claimed in claim 18 wherein d is equal to 3.

20. A random sequence generator as claimed in claim 17 wherein each node input sequence is extended by a single modular operation.

21. A random sequence generator as claimed in claim … wherein each node input sequence is extended by the operation

y = a_e x^e + a_{e−1} x^{e−1} + … + a_1 x + a_0 (mod N)

where e, a_e, a_{e−1}, …, a_0 and N are integers, the node input sequence represents x and the node output sequence represents y, and where there is at least one a_j of a_e, a_{e−1}, …, a_1 not equal to zero and the greatest common divisor of d and φ(N) is equal to one where φ(N) is Euler's Totient function.

22. A method of generating a random sequence from a seed random sequence of substantially shorter length, comprising performing a tree operation by extending, at each node of a tree structure, a node input random sequence into a longer node output random sequence, a random output sequence being generated from successive leaves of the tree structure.

23. A method as claimed in claim 22 wherein each node input sequence is extended by the operation

y = a x^d (mod N)

where N is the product of two large random primes p and q, d is an integer that is relatively prime to (p−1)(q−1), the node input sequence represents x and the node output sequence represents y.

24. A method as claimed in claim 23 wherein d is equal to 3.

25. A method as claimed in claim 22 wherein each node input sequence is extended by a single modular operation.

26. A random sequence generator as claimed in claim 22 wherein each node input sequence is extended by the operation

y = a_e x^e + a_{e−1} x^{e−1} + … + a_1 x + a_0 (mod N)

where e, a_e, a_{e−1}, …, a_0 and N are integers, the node input sequence represents x and the node output sequence represents y, and where there is at least one of a_e, a_{e−1}, …, a_3 not equal to zero and the greatest common divisor of d and φ(N) is equal to one where φ(N) is Euler's Totient function.

27. A method of generating a random sequence from a seed random sequence of substantially shorter length comprising performing a tree operation by extending, at each node of a tree structure, a node input random sequence into a longer node output random sequence, a plurality of node output random sequences of the tree
structure together comprising a final random output sequence.

28. A method as claimed in claim 27 wherein each node input sequence is extended by the operation

y = a x^d (mod N)

where N is the product of two large random primes p and q, d is an integer that is relatively prime to (p−1)(q−1), the node input sequence represents x and the node output sequence represents y.

29. A method as claimed in claim 28 wherein d is equal to 3.

30. A method as claimed in claim 27 wherein each node input sequence is extended by a single modular operation.

31. A random sequence generator as claimed in claim 27 wherein each node input sequence is extended by the operation

y = a_e x^e + a_{e−1} x^{e−1} + … + a_1 x + a_0 (mod N)

where e, a_e, a_{e−1}, …, a_0 and N are integers, the node input sequence represents x and the node output sequence represents y, and where there is at least one a_j of a_e, a_{e−1}, …, a_1 not equal to zero and the greatest common divisor of d and φ(N) is equal to one where φ(N) is Euler's Totient function.

32. A method of generating a random sequence from a seed random sequence of substantially shorter length comprising in each of a plurality of processors, extending a node input random sequence into a longer node output random sequence, each of the plurality of processors performing a portion of a tree structure by extending a node input sequence and then separately extending different portions of a node output sequence in successive operations at successive nodes of the tree structure.

33. A method as claimed in claim 32 wherein each node input sequence is extended by the operation

[…]

[…]quence and an index input, the random sequence generator performing a tree operation by extending, at each node of a tree structure, a node input random sequence into a longer node output random sequence.

38. An encryption system as claimed in claim 37 wherein each node input sequence is extended by the operation

y = a x^d (mod N)

where N is the product of two large random primes p and q, d is an integer that is relatively prime to (p−1)(q−1), the node input sequence represents x and the node output sequence represents y.

39. An encryption system as claimed in claim 38 wherein d is equal to 3.

40. An encryption system as claimed in claim 37 wherein each node input sequence is extended by a single modular operation.

41. An encryption system as claimed in claim 37 wherein the random sequence applied to the encryption comprises a plurality of node output random sequences of the tree structure.

42. An encryption system as claimed in claim 41 wherein the random sequence applied to the encryption is generated as successive leaves of the tree structure.

43. An encryption system as claimed in claim 37 wherein the random sequence generator comprises a plurality of processors, each of the plurality of processors performing a portion of the tree structure.

44. A random sequence generator as claimed in claim 37 wherein each node input sequence is extended by the operation

y = a_e x^e + a_{e−1} x^{e−1} + … + a_1 x + a_0 (mod N)

where e, a_e, a_{e−1}, …, a_0 and N are integers, the node input sequence represents x and the node output se-

r ^ 40 quence represents y, and where there is at least one a^of 

^-a^Onod N) fy* a <?-i> - • • » a 3 not equal to zero and the greatest com- 

mon divisor of d and <f>(N) is equal to one where <|>(N) 
where N is the product of two large random primes p » Euler's Totient function. 

and q, d is an integer that is relatively prime to 45. A method of message encryption comprising gen- 
(p_l)(q— 1) # the node input sequence represents x and 45 crating a random sequence from a seed random se- 
the node output sequence represents y. quence and an index input, the random sequence being 

34. A method as claimed in claim 33 wherein d is generated in a tree operation by extending, at each node 
equal to 3. °f a tree structure, a node input random sequence into a 

35. A method as claimed in claim 32 wherein each longer node output random sequence and, based on the 
node input sequence is extended by a single modular 50 extended random sequence, performing a transform 
operation. between encrypted and nonencrypted messages; 

36. A random sequence generator as claimed in claim A method as claimed in claim 45 wherein each 
32 wherein each node input sequence is extended by the node input sequence is extended by a single modular 
operation operation. 

55 47. A method as claimed in claim 45 wherein the 
y=a e x?4-a e .ixr l + /. . +aix±atfmod N) random sequence applied to the encryption unit com- 

prises a plurality of node output random sequences of 
where e, a*, a^i, . . . ,ao and N are integers, the node the tree structure. 

input sequence represents x and the node output se- 48. A method as claimed in claim 47 wherein the 
quence represents y, and where there is at least one a^of 60 random sequence applied to the encryption unit is gen- 
ae, a^.i, . . . ,a3 not equal to zero and the greatest com- erated as successive leaves of the tree structure, 
mon divisor of d and 4>(N) is equal to one where </>(N) 49. A method as claimed in claim 45 wherein the 
is Euler's Totient function. random sequence generator comprises a plurality of 

37. An encryption system comprising an encryption processors, each of the plurality of processors perfonn- 
unit for performing a transform between encrypted and 65 ing a portion of the tree structure. 

nonencrypted messages, based on an extended random 50. A random sequence generator as claimed in claim 
sequence, and a random sequence generator for gener- 45 wherein each node input sequence is extended by the 
ating the random sequence from a seed random se- operation 



03/31/2004, EAST Version: 1.4.1

25 4,944,009 26



$y = a_e x^{e} + a_{e-1} x^{e-1} + \dots + a_1 x + a_0 \pmod{N}$

where e, a_e, a_{e-1}, ..., a_0 and N are integers, the node
input sequence represents x and the node output se-
quence represents y, and where there is at least one a_i of
a_e, a_{e-1}, ..., a_3 not equal to zero and the greatest com-
mon divisor of d and φ(N) is equal to one where φ(N)
is Euler's Totient function.

51. A method of generating a random sequence from 
a random seed comprising, in each of iterative steps, 
applying a function to an input string of random bits to 
obtain an output string of bits, significantly less than all 
of an output string of bits being used in an input string 
of bits in each successive step, and utilizing other bits of 
the output string toward the random sequence. 

52. A method as claimed in claim 51 wherein each 
input string is about 1 or less of the bits of the output 
string from the previous step. 

53. A method as claimed in claim 51 wherein the 
other bits utilized toward the random sequence are a 
part of the generated random sequence. 

54. A method as claimed in claim 51 wherein the 
iterative steps are performed in a tree operation and the 
function is also applied to the other bits of the output 
string utilized toward the random sequence. 

55. A method as claimed in claim 51 wherein each 
output string of bits is obtained by the function 

$y = a_e x^{e} + a_{e-1} x^{e-1} + \dots + a_1 x + a_0 \pmod{N}$

where e, a_e, a_{e-1}, ..., a_0 and N are integers, the input
string represents x and the output string represents y 
and where the number of bits in x is significantly less 
than the number of bits in N. 

56. A random sequence generator as claimed in claim 
51 wherein each input string of bits is extended by the 
function 



where e, a_e, a_{e-1}, ..., a_0 and N are integers, the input
string represents x and the output string represents y,
and where there is at least one a_i of a_e, a_{e-1}, ..., a_3 not
equal to zero and the greatest common divisor of d and
φ(N) is equal to one where φ(N) is Euler's Totient
function.

57. A method of generating a random sequence from 
a random seed comprising, in each of iterative steps, 

applying a function to an input string of random bits to
obtain an output string of bits, significantly less than all
of an output string of bits being used as an input string
of bits in each successive step, at least some of the bits of
each output string being a part of the generated random
sequence.

58. A method as claimed in claim 57 wherein each 
input string is about § or less of the bits of the output 
string from the previous step. 

59. A method as claimed in claim 57 wherein each 
output string of bits is obtained by the function

where e, a_e, a_{e-1}, ..., a_0 and N are integers, the input
string represents x and the output string represents y
and where the number of bits in x is significantly less 
than the number of bits in N. 

60. A random sequence generator as claimed in claim 
57 wherein each input string of bits is extended by the 

function

$y = a_e x^{e} + a_{e-1} x^{e-1} + \dots + a_1 x + a_0 \pmod{N}$

where e, a_e, a_{e-1}, ..., a_0 and N are integers, the input
string represents x and the output string represents y,
and where there is at least one a_i of a_e, a_{e-1}, ..., a_3 not
equal to zero and the greatest common divisor of d and
φ(N) is equal to one where φ(N) is Euler's Totient
function.
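As an added example (not code from the patent), the following Python models the tree operation of claims 27 and 28 with d = 3 (claim 29), the direct access to any leaf by index that claims 37 and 42 rely on, and the partial feedback of claim 51; the primes, seed and bit sizes are constructed toy values and the modulus is nowhere near large enough to be secure.

```python
# Added example, not from the patent: toy model of the tree generator of claims 27/28
# (y = x^d mod N, d = 3 per claim 29), leaf access by index (claims 37/42) and the
# partial-feedback sequential generator of claim 51. Constructed values; N is tiny and NOT secure.
from math import gcd

def next_prime(n):
    """Smallest prime >= n with p = 2 (mod 3), so 3 is relatively prime to p - 1."""
    while n % 3 != 2 or any(n % f == 0 for f in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

D = 3                                                # claim 29
P, Q = next_prime(1_000_000), next_prime(2_000_000)  # constructed toy primes
N = P * Q
assert gcd(D, (P - 1) * (Q - 1)) == 1                # claim 28: d relatively prime to (p-1)(q-1)
N_BITS = N.bit_length()                              # length of one node output
K_BITS = N_BITS // 2                                 # node input much shorter than N (claim 55)
BRANCH = N_BITS // K_BITS                            # child inputs cut from one node output

def extend_node(x):
    """Claim 28: the node operation y = x^d (mod N)."""
    return pow(x, D, N)

def children(x):
    """Cut a node output into BRANCH pieces of K_BITS bits, one per child (claim 32)."""
    y, mask = extend_node(x), (1 << K_BITS) - 1
    return [(y >> (i * K_BITS)) & mask for i in range(BRANCH)]

def leaves(seed, depth):
    """Whole tree, breadth first; the leaf outputs are the final sequence (claim 42)."""
    level = [seed]
    for _ in range(depth):
        level = [c for x in level for c in children(x)]
    return [extend_node(x) for x in level]

def leaf(seed, depth, index):
    """Direct access (claims 37/45): one root-to-leaf path, index read in base BRANCH."""
    x = seed
    for pos in reversed(range(depth)):
        x = children(x)[(index // BRANCH ** pos) % BRANCH]
    return extend_node(x)

def sequential(seed, steps, feedback_bits):
    """Claim 51: per step only feedback_bits of the output are re-applied as the
    next input; the other N_BITS - feedback_bits bits go to the random sequence."""
    x, out, keep = seed, "", N_BITS - feedback_bits
    for _ in range(steps):
        y = extend_node(x)
        x, out = y >> keep, out + format(y & ((1 << keep) - 1), f"0{keep}b")
    return out
```

Computing leaf(seed, depth, i) costs depth + 1 node operations regardless of i, which is the direct access to a subsequence described in the abstract.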
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